Securing Traffic Using Ipsec - Alcatel-Lucent OmniSwitch 9900 Series Network Configuration Manual


Configuring IPsec

Securing Traffic Using IPsec

Securing traffic using IPsec requires the following main procedures:
Master Security Key—Used to encrypt SA keys when stored on the switch.
Policies—Determines which traffic should be processed using IPsec.
Policy Rules—Determines whether AH, ESP, or a combination of both should be used.
Security Associations (SAs)—Determines which algorithms should be used to secure the traffic.
SA Keys—Determines the keys to be used with the SA to secure the traffic.
Master Security Key
The master security key is used to encrypt and decrypt the configured SA keys that are saved to permanent
storage (e.g., the boot.cfg file). Therefore, configuring a master key is VITALLY IMPORTANT and STRONGLY
RECOMMENDED. A warning message will be logged if the configuration is saved without a Master Security Key
being set.
IPsec Policy
IPsec policies define which traffic requires IPsec processing. A policy requires the source and
destination of the traffic to be specified as IPv6 addresses. The policy may cover all traffic from source to
destination, or may further restrict it by specifying an upper-layer protocol, source port, and/or destination
port. Each policy is unidirectional, applying either to inbound or to outbound traffic. Therefore, to cover all
traffic between a source and a destination, two policies must be defined, one for each direction.
IPsec Policy Rules
Rules are created and applied to policies. Rules determine what type of encryption or authentication
should be used for the associated policy. For example, for a security policy where an IPv6 payload should
be protected by an ESP header, which should then be protected by an AH header, two rules would be
applied to the policy, one for ESP and one for AH.
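The policy and rule behaviour described above, modelled in Python as an added example (not vendor code and not the switch's own CLI): the Packet and Policy classes, the "in"/"out" direction strings and the IPv6 addresses are assumptions made for illustration. It shows why a single outbound policy leaves the reply traffic unprotected until the matching inbound policy is added, how optional selectors narrow a policy, and the outer-to-inner header order implied by listing an ESP rule before an AH rule.

```python
"""Model of IPsec policies and rules as described in the OmniSwitch guide.
Added example, not vendor code; Packet/Policy and the "in"/"out" strings
are illustrative assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str                    # "in" or "out", relative to the switch
    protocol: Optional[int] = None    # IP protocol number (6 = TCP, 17 = UDP)
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Policy:
    name: str
    src: str
    dst: str
    direction: str                    # each policy is unidirectional
    protocol: Optional[int] = None    # optional selectors; None means "any"
    sport: Optional[int] = None
    dport: Optional[int] = None
    rules: List[str] = field(default_factory=list)  # applied in order, e.g. ["esp", "ah"]

    def __post_init__(self) -> None:
        # Endpoints must be IPv6; normalise so 2001:DB8:0:0::1 equals 2001:db8::1.
        self.src = str(ipaddress.IPv6Address(self.src))
        self.dst = str(ipaddress.IPv6Address(self.dst))
        if self.direction not in ("in", "out"):
            raise ValueError(f"{self.name}: direction must be 'in' or 'out'")
        bad = [r for r in self.rules if r not in ("esp", "ah")]
        if bad:
            raise ValueError(f"{self.name}: unknown rule(s) {bad}")

    def matches(self, pkt: Packet) -> bool:
        if pkt.direction != self.direction:
            return False
        endpoints = (str(ipaddress.IPv6Address(pkt.src)), str(ipaddress.IPv6Address(pkt.dst)))
        if endpoints != (self.src, self.dst):
            return False
        # Each optional selector narrows the policy only when it is set.
        for want, have in ((self.protocol, pkt.protocol), (self.sport, pkt.sport), (self.dport, pkt.dport)):
            if want is not None and want != have:
                return False
        return True


def select_policy(policies, pkt):
    """Return the first policy whose selectors cover pkt, or None (no IPsec processing)."""
    for p in policies:
        if p.matches(pkt):
            return p
    return None


def header_stack(policy):
    """Outer-to-inner header order implied by the rule order: with ["esp", "ah"]
    the payload is protected by ESP first and that result by AH, so AH is outermost."""
    return [r.upper() for r in reversed(policy.rules)]


A, B = "2001:db8::1", "2001:db8::2"   # constructed addresses


def demo():
    # Only an outbound policy A->B exists, restricted to TCP traffic to port 443.
    out_only = [Policy("a-to-b", A, B, "out", protocol=6, dport=443, rules=["esp", "ah"])]
    https_out = Packet(A, B, "out", protocol=6, sport=51000, dport=443)
    https_in = Packet(B, A, "in", protocol=6, sport=443, dport=51000)
    dns_out = Packet(A, B, "out", protocol=17, dport=53)
    results = {
        "out_matched": select_policy(out_only, https_out) is not None,
        "in_unmatched": select_policy(out_only, https_in) is None,   # replies get no IPsec
        "udp_unmatched": select_policy(out_only, dns_out) is None,   # protocol selector excludes it
    }
    # The second, inbound policy is what makes the exchange protected in both directions.
    both = out_only + [Policy("b-to-a", B, A, "in", protocol=6, sport=443, rules=["esp", "ah"])]
    results["in_matched_with_pair"] = select_policy(both, https_in) is not None
    results["headers"] = header_stack(out_only[0])   # ['AH', 'ESP']
    return results


if __name__ == "__main__":
    print(demo())
```

Running the block prints the result dictionary; the `in_unmatched` entry is the case to watch for when auditing a configuration, since a lone outbound policy silently leaves the return traffic in the clear.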
Security Association (SA)
A Security Association, more commonly referred to as an SA, is a basic building block of IPsec: it
specifies the actual IPsec algorithms to be employed. An SA is a unidirectional agreement between the
participants on the methods and parameters used to secure a communication channel, and it is the
management tool used to enforce a security policy in the IPsec environment. In practice, an SA specifies
the encryption and authentication applied between communicating peers.
Manually configured SAs are unidirectional; bi-directional communication requires at least two SAs, one
for each direction. A manually configured SA is identified by the combination of its SPI, source address,
and destination address. Multiple SAs can therefore be configured for the same source and destination
combination; such SAs are distinguished by a unique Security Parameter Index (SPI).
SA Keys
Keys are used for encrypting and authenticating the traffic. Key lengths must match what is required by
the encryption or authentication algorithm specified in the SA. Key values may be specified either in
hexadecimal format or as a string.
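The SA identification and key-length requirements from the two sections above, as an added Python example (not vendor code): it keeps manually configured SAs in a table keyed by (SPI, source, destination), accepts keys in hexadecimal or string form, and rejects a key whose length does not fit the algorithm. The algorithm table lists standard IPsec key sizes from the RFCs named in the comments; which of those algorithms the OmniSwitch supports is not stated on this page, so treat the table, the SPI range check and the SADatabase class as assumptions.

```python
"""Validation model for manually configured SAs and their keys.
Added example, not vendor code; KEY_BYTES and SADatabase are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Accepted key lengths in bytes. RFC 2404: HMAC-SHA1-96 uses a 160-bit key;
# RFC 4868: HMAC-SHA-256-128 uses a 256-bit key; RFC 3602: AES-CBC takes
# 128/192/256-bit keys; RFC 2451: 3DES-CBC takes a 192-bit key (parity bits
# included). Which of these the switch offers is an assumption here.
KEY_BYTES = {
    "hmac-sha1-96": {20},
    "hmac-sha256-128": {32},
    "3des-cbc": {24},
    "aes-cbc": {16, 24, 32},
}


def parse_key(value: str) -> bytes:
    """Accept a key given in hexadecimal (0x prefix) or as a plain string."""
    if value.lower().startswith("0x"):
        return bytes.fromhex(value[2:])
    return value.encode("ascii")


def _norm(addr: str) -> str:
    # Canonical IPv6 text so 2001:DB8:0:0::1 and 2001:db8::1 are the same endpoint.
    return str(ipaddress.IPv6Address(addr))


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    src: str
    dst: str
    protocol: str      # "esp" or "ah"
    algorithm: str
    key: bytes

    def __post_init__(self) -> None:
        # SPI 0 is implementation-local and 1-255 are IANA-reserved (RFC 4303).
        if not 256 <= self.spi <= 0xFFFFFFFF:
            raise ValueError(f"SPI {self.spi} outside the usable range")
        if self.protocol not in ("esp", "ah"):
            raise ValueError(f"protocol must be 'esp' or 'ah', got {self.protocol!r}")
        object.__setattr__(self, "src", _norm(self.src))
        object.__setattr__(self, "dst", _norm(self.dst))


class SADatabase:
    """Manually configured SAs, keyed by (SPI, source, destination)."""

    def __init__(self) -> None:
        self._sas: Dict[Tuple[int, str, str], SecurityAssociation] = {}

    def add(self, sa: SecurityAssociation) -> None:
        allowed = KEY_BYTES.get(sa.algorithm)
        if allowed is None:
            raise ValueError(f"unknown algorithm {sa.algorithm!r}")
        if len(sa.key) not in allowed:
            raise ValueError(f"{sa.algorithm} needs a key of {sorted(allowed)} bytes, got {len(sa.key)}")
        ident = (sa.spi, sa.src, sa.dst)
        if ident in self._sas:
            raise ValueError(f"SA {ident} already exists; choose a different SPI")
        self._sas[ident] = sa

    def lookup(self, spi: int, src: str, dst: str) -> Optional[SecurityAssociation]:
        return self._sas.get((spi, _norm(src), _norm(dst)))

    def __len__(self) -> int:
        return len(self._sas)


def _rejected(db: SADatabase, sa: SecurityAssociation) -> bool:
    try:
        db.add(sa)
        return False
    except ValueError:
        return True


A, B = "2001:db8::1", "2001:db8::2"   # constructed addresses


def demo():
    db = SADatabase()
    # One SA per direction, since manual SAs are unidirectional.
    db.add(SecurityAssociation(1000, A, B, "esp", "aes-cbc", parse_key("0x000102030405060708090a0b0c0d0e0f")))
    db.add(SecurityAssociation(1001, B, A, "esp", "aes-cbc", parse_key("0x0f0e0d0c0b0a09080706050403020100")))
    # A second SA for the same A->B pair is allowed because its SPI differs.
    db.add(SecurityAssociation(2000, A, B, "ah", "hmac-sha1-96", parse_key("twenty-byte-auth-key")))
    return {
        "sa_count": len(db),
        "lookup_ok": db.lookup(1000, "2001:DB8:0:0::1", B) is not None,
        # A 5-byte key cannot serve an algorithm that needs 20 bytes.
        "short_key_rejected": _rejected(db, SecurityAssociation(3000, A, B, "ah", "hmac-sha1-96", parse_key("short"))),
        # Same SPI, source and destination as an existing SA.
        "duplicate_rejected": _rejected(db, SecurityAssociation(1000, A, B, "esp", "aes-cbc", parse_key("0x" + "11" * 16))),
    }


if __name__ == "__main__":
    print(demo())
```

The length check is the part worth keeping in mind when entering keys as strings: a memorable passphrase is rarely exactly the size the algorithm requires, so the hexadecimal form is the safer way to supply a key of the correct length.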
Note. The OmniSwitch currently supports manually configured SAs only.
If no master security key is configured, SA keys are stored unencrypted.

OmniSwitch AOS Release 8 Network Configuration Guide    December 2017    IPsec Overview    page 18-8
